CodeIgniter Forums
general URL issue - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: general URL issue (/thread-10158.html)



general URL issue - El Forum - 07-21-2008

[eluser]scaryjack[/eluser]
hello there,

IsnĀ“t there a way to "hide" in the URL which controller(with parameter) is called?

An example:
right now I have implemented an user-articel page. You can read articles by calling the controller and pass the article-type as id(for sorting). So if you want to see all "news" article you would call the controller with showArticles and also pass the id(e.g. 1).
in the URL you the see: http://anyURL.com/index.php/showArticles/1.

is there a way to hide the last part(including the controller)?
I see there some security problems...If you look at the URL you just can play wih the parameters directly and the maybe jump to some pages which should not be allowed to the user.
By hiding the controller this would be safer.
Since there are also no real before/after filters like in ruby or cake, you cannot check before each function call if the user is allowed to see the page.

Do you have maybe ideas to avoid/imporve this


general URL issue - El Forum - 07-21-2008

[eluser]Michael Wales[/eluser]
URI Routing can get rid of the controller name - you still need a unique identifier to let your application know which subset of data to actually load though.


general URL issue - El Forum - 07-21-2008

[eluser]Colin Williams[/eluser]
Quote:I see there some security problems...If you look at the URL you just can play wih the parameters directly and the maybe jump to some pages which should not be allowed to the user.

A good reason to not have "secret URLs" as your only layer of security. There are more robust solutions, like calling access checks when appropriate throughout your code.


general URL issue - El Forum - 07-21-2008

[eluser]wiredesignz[/eluser]
Dare I post this with Colin around.

Quote:Since there are also no real before/after filters like in ruby or cake, you cannot check before each function call if the user is allowed to see the page.

Modular Extensions HMVC allows you to autoload a controller (to mimic the before filter) before the constructor of the called controller is finished running, this would allow user authentication to be verified and an error flag set or the process aborted if needed.

NOTE:
Nothing in Modular Extensions forces you to use modules in your application, ME will load ANY controller you specify.


general URL issue - El Forum - 07-21-2008

[eluser]Colin Williams[/eluser]
Don't worry, wiredesignz. I'll actually use ME before I dare say anything about it again. On the topic though, I don't see anything routing can do to secure your application.